vulnerability
FreeBSD: VID-d34bef0b-f312-11eb-b12b-fc4dd43e2b6a (CVE-2021-33037): tomcat -- HTTP request smuggling in multiple versions
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:P/A:N) | Aug 1, 2021 | Nov 4, 2022 | Dec 10, 2025 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published
Aug 1, 2021
Added
Nov 4, 2022
Modified
Dec 10, 2025
Description
Bahruz Jabiyev, Steven Sprecher and Kaan Onarlioglu of NEU seclab reports: Apache Tomcat did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response; Tomcat honoured the identify encoding; and Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
Solutions
freebsd-upgrade-package-tomcat85freebsd-upgrade-package-tomcat9freebsd-upgrade-package-tomcat10
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.